CVE-2025-13704: The Autogen Headers Menu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'head_class' paramete
medium · vulnerability
security
Summary
The Autogen Headers Menu WordPress plugin (all versions up to 1.0.1) has a stored cross-site scripting vulnerability (XSS, where attackers inject malicious scripts into web pages) in the 'head_class' parameter of the 'autogen_menu' shortcode. Authenticated attackers with Contributor-level access or higher can exploit insufficient input sanitization and output escaping to inject arbitrary scripts that execute when users view affected pages.
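The pattern the summary describes, as an added example that is not the plugin's own code: a shortcode handler that writes 'head_class' into markup unescaped, the same handler with input validation and output escaping, and a helper that flags values already stored in post content. Only the shortcode and attribute names come from this entry; the function names and the `<ul>` markup are assumptions, and the WordPress calls used are core functions.

```php
<?php
// Hypothetical code for illustration; not the Autogen Headers Menu source.
// From the advisory: shortcode 'autogen_menu', attribute 'head_class'.
// Assumed: the function names and the <ul> markup.

// Vulnerable pattern: the attribute value reaches the markup unescaped.
function example_menu_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'head_class' => '' ), $atts );
    // A quote character in the value closes class="..." early, so whatever
    // follows is parsed by the browser as markup supplied by the post author.
    return '<ul class="' . $atts['head_class'] . '"></ul>';
}

// Reduce a free-form value to a space-separated list of valid class names.
function example_clean_classes( $raw ) {
    // sanitize_html_class() handles a single class name, so split first.
    $parts = preg_split( '/\s+/', (string) $raw, -1, PREG_SPLIT_NO_EMPTY );
    return implode( ' ', array_filter( array_map( 'sanitize_html_class', $parts ) ) );
}

// Hardened pattern: validate on input, escape at the point of output.
function example_menu_safe( $atts ) {
    $atts = shortcode_atts( array( 'head_class' => '' ), $atts );
    return '<ul class="' . esc_attr( example_clean_classes( $atts['head_class'] ) ) . '"></ul>';
}

// Audit helper: return head_class values in stored post content that are
// not plain class lists, so the posts carrying them can be reviewed.
function example_find_suspect_head_class( $content ) {
    $suspect = array();
    $pattern = '/' . get_shortcode_regex( array( 'autogen_menu' ) ) . '/';
    preg_match_all( $pattern, $content, $matches, PREG_SET_ORDER );
    foreach ( $matches as $m ) {
        $atts = shortcode_parse_atts( $m[3] ); // group 3 holds the attribute string
        if ( ! is_array( $atts ) || ! isset( $atts['head_class'] ) ) {
            continue;
        }
        $value = trim( preg_replace( '/\s+/', ' ', $atts['head_class'] ) );
        if ( $value !== example_clean_classes( $value ) ) {
            $suspect[] = $atts['head_class'];
        }
    }
    return $suspect;
}
```

Because the injected value is stored in the post, updating or removing the plugin does not clean existing content; the audit helper is meant to be run over `post_content` of posts that contain the shortcode.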
Vulnerability Details
CVSS Score
6.4 (medium)
EPSS (30-day exploit probability)
EPSS: 0.0%
Classification
Attack Sophistication: Trivial
Original source: https://nvd.nist.gov/vuln/detail/CVE-2025-13704
First tracked: February 15, 2026 at 08:36 PM
Classified by LLM (prompt v3) · confidence: 95%